Mitigation Strategies

[{'type': 'paragraph', 'content': 'Immediate mitigation steps include upgrading the eWON firmware to versions later than 13.0, specifically versions 13.1s0 or higher, where the authentication bypass vulnerability is fixed.'}, {'type': 'paragraph', 'content': 'Additionally, upgrading to firmware 13.3s0 or later addresses the weak password encryption scheme.'}, {'type': 'paragraph', 'content': "Until the firmware is updated, restrict network access to the device's web interface to trusted users only and monitor for suspicious POST requests to /wrcgi.bin/wsdReadForm."}, {'type': 'paragraph', 'content': 'Consider changing default usernames and passwords and applying network segmentation to limit exposure.'}] [2]

Useful 0 Not Useful 0

Executive Summary

CVE-2019-25470 is an authentication bypass vulnerability affecting eWON Firmware versions 12.2 through 13.0. Attackers with minimal privileges can exploit the wsdReadForm endpoint by sending specially crafted POST requests containing base64-encoded partial credentials and a manipulated wsdList parameter.

This exploitation allows attackers to extract encrypted passwords for all users on the device. These encrypted passwords can then be decrypted using a hardcoded XOR key embedded in the firmware, effectively exposing sensitive user credentials without requiring valid authentication.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows unauthorized attackers to bypass authentication and retrieve sensitive user data, including encrypted passwords for all users on the affected device.

Because the passwords can be decrypted using a hardcoded XOR key, attackers can gain access to cleartext credentials, potentially leading to unauthorized access to the device and its resources.

Such unauthorized access can compromise the security and integrity of industrial systems relying on the eWON device, potentially leading to data breaches, operational disruptions, or further exploitation.

Useful 0 Not Useful 0

Compliance Impact

I don't know

Useful 0 Not Useful 0

Detection Guidance

[{'type': 'paragraph', 'content': 'This vulnerability can be detected by monitoring for specially crafted POST requests sent to the endpoint /wrcgi.bin/wsdReadForm on eWON devices running firmware versions 12.2 to 13.0.'}, {'type': 'paragraph', 'content': 'An attacker sends POST requests containing base64-encoded partial credentials and a manipulated wsdList parameter to extract encrypted passwords.'}, {'type': 'paragraph', 'content': 'To detect exploitation attempts, you can use network monitoring tools or command-line utilities to look for POST requests to this specific URL.'}, {'type': 'list_item', 'content': 'Use tcpdump or Wireshark to capture HTTP POST traffic targeting /wrcgi.bin/wsdReadForm.'}, {'type': 'list_item', 'content': "Example tcpdump command: tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep 'POST /wrcgi.bin/wsdReadForm'"}, {'type': 'list_item', 'content': 'Use curl or similar tools to test the endpoint with crafted POST requests containing base64-encoded partial credentials to verify if the device is vulnerable.'}] [1, 2]

Useful 0 Not Useful 0